Storing OAuth tokens in the browser leaves SPAs vulnerable to theft via cross-site scripting (XSS), since tokens in Local Storage are accessible to any injected JavaScript. The Backends for Frontends ...